Identifying Attack Surfaces and Threat Vectors

Understanding the methods by which threat actors infiltrate networks and systems is essential for assessing the attack surface of networks and deploying controls to block attack vectors.

Attack Surface and Threat Vectors

The attack surface is defined as all the points at which a malicious threat actor could attempt to exploit a vulnerability. It includes any location or method where a threat actor can interact with a network port, application, computer, or user, thus forming a potential attack surface. Minimizing this attack surface involves restricting access such that only a few known endpoints, protocols/ports, and methods or services are permitted. Each of these points must be thoroughly assessed for vulnerabilities and continuously monitored for intrusions.

Steps to Assess the Attack Surface:

Public-facing servers being hacked within a local network.
Public-facing servers connected to a local network suffering from denial of service.
Public-facing name servers being hacked.
Messaging systems that allow transmission of malicious attachments to private computers.
Internal servers being compromised via malicious devices introduced on site.
Unmonitored devices (shadow IT) leading to backdoors being opened by employees.
Misuse of permissions by malicious insiders.

Understanding Threat Vectors

From a threat actor's perspective, each component of the attack surface represents a potential vector for attempting an intrusion. A threat vector is the path utilized by a threat actor to execute attacks such as data exfiltration, service disruption, or disinformation. \n

Multistage Campaigns

Sophisticated threat actors typically employ multiple vectors to plan a multistage campaign rather than a single quick attack. Highly skilled threat actors can develop novel vectors, indicating that their understanding of your organization’s attack surface could surpass your own.

An organization possesses an overall attack surface but can also evaluate limited scopes, like that of a single server, computer, web application, or employee identities and accounts. The attack surface for external actors is generally smaller compared to that for insider threats.

Terms Distinction

The terms threat vector and attack vector are often used interchangeably. However, some sources differentiate the usage by associating threat vector with the theoretical analysis of potential attack surfaces and attack vector with real exploits that have successfully been executed.

Vulnerable Software as a Threat Vector

Vulnerable software refers to programs that contain flaws in their code or design that can be exploited to bypass access control or crash the system. Such vulnerabilities can often only be exploited under specific circumstances and are typically patched swiftly by the vendor. Given the complexity of modern software and the frequency of new releases, it is nearly impossible to ensure that any software is completely free from vulnerabilities. Moreover, organizations might lack an effective patch management system, resulting in vulnerable software being a commonly exploited threat vector.

Factors Increasing Vulnerable Software Vectors

The multitude of operating systems and applications running on an organization’s devices—servers, clients, and cloud networks—directly increases the attack surface. To mitigate risks, organizations should:

Consolidate to fewer products.
Ensure uniform version deployment across the organization.

Impact of Software Vulnerabilities

The implications of a software vulnerability can vary considerably. For instance:

An Adobe PDF document reader vulnerability might allow threat actors to gain access through a specific workstation.
A vulnerability in transport security server software could endanger cryptographic keys essential for secure web services.

Unsupported Systems and Applications

Unsupported systems and applications are particularly vulnerable, as no updates or patches are provided by their vendors. Without the organization's ability to patch the faulty code themselves, these solutions are highly susceptible to exploitation.

Strategy for Unsupported Applications

One mitigation strategy for unsupported applications is to isolate them from other systems, thereby reducing opportunities for threat actors to access vulnerable applications and execute exploit code. This isolation acts as a compensating control for lack of patch management.

Scanning Techniques in Vulnerability Management

Client-Based vs. Agentless Scanning: Scanning software automates the discovery and classification of software vulnerabilities but can be exploited by threat actors for reconnaissance against a target.

Client-Based Scanning: Involves installing an agent that runs a scanning process on each host, reporting data back to a management server.
Agentless Scanning: Allows scans to occur without installation, typically used during threat actor reconnaissance.

Classification of Exploit Techniques

Exploits can be classified into:

Remote Vulnerabilities: Could be exploited by sending code to the target over a network without needing an authenticated session.
Local Vulnerabilities: Require exploit code to be run in an authenticated session on the machine.

Network Security Attributes

To minimize risks stemming from software vulnerabilities, administrators must work to eliminate unsecure networks, defined by the absence of key attributes:

Confidentiality: The requirement for protecting sensitive information from unauthorized access, with threats often manifesting as eavesdropping attacks.
Integrity: The assurance that data is protected against unauthorized modification and manipulation, with threats identified as on-path attacks.
Availability: Ensuring that services remain operational, with threats associated with Denial of Service (DoS) attacks.

Network Threat Vectors

Vulnerable software offers threat actors avenues to execute malicious codes. Actionable exploit techniques can either be remote or local, necessitating the establishment of a secure network with access control and cryptographic solutions for user authentication and audit.

Direct Access Attack Vectors

Physical Access: An attacker may physically access the site to perpetrate an attack.
Wired Networks: Unauthorized devices may be connected to physical network ports, risking exploitation.
Remote/Wireless Networks: Credential compromise or spoofing trusted resources allows threat actors entry.
Cloud Access: Weak credentials may be targeted on cloud services.
Bluetooth Networks: Vulnerability exploitation or misconfiguration can lead to unintended file transmission.
Default Credentials: Leaving devices configured with factory default passwords presents security risks.
Open Service Ports: Necessary ports for functionality expose potential vulnerabilities if not secured adequately.

Strategies to Reduce Attack Surface

Use secure design principles, access controls, firewalls, and intrusion detection systems to tighten measures against exploit attempts.

Lure-Based Vectors

In cybersecurity vernacular, a lure refers to something that initially attracts or piqued interest but may conceal harmful elements, akin to a concealed hook. In cyber contexts, this could involve an individual opening a malicious file bait that delivers a payload, granting control to the threat actor.

Types of Lures

Executable Files: Conceal exploit code within program files, as seen with Trojan Horse malware.
Document Files: Embed malicious code in document formats like Word or PDF, often utilizing scripting features or exploiting software vulnerabilities.
Image Files: Hide exploit code in image files designed to exploit vulnerabilities in software used to view those files.
Removable Devices: Malware concealed in USB drives can infect systems when the media is connected.

The drop attack strategy involves leaving infected USB sticks in strategic areas with the hope a target unknowingly connects them to their devices.

Understanding the methods by which threat actors infiltrate networks and systems is essential for assessing the attack surface of networks and deploying controls to block attack vectors.

Attack Surface and Threat Vectors

Steps to Assess the Attack Surface:

Public-facing servers being hacked within a local network.
Public-facing servers connected to a local network suffering from denial of service.
Public-facing name servers being hacked.
Messaging systems that allow transmission of malicious attachments to private computers.
Internal servers being compromised via malicious devices introduced on site.
Unmonitored devices (shadow IT) leading to backdoors being opened by employees.
Misuse of permissions by malicious insiders.

Understanding Threat Vectors

Multistage Campaigns

Terms Distinction

Vulnerable Software as a Threat Vector

Factors Increasing Vulnerable Software Vectors

Consolidate to fewer products.
Ensure uniform version deployment across the organization.

Impact of Software Vulnerabilities

The implications of a software vulnerability can vary considerably. For instance:

An Adobe PDF document reader vulnerability might allow threat actors to gain access through a specific workstation.
A vulnerability in transport security server software could endanger cryptographic keys essential for secure web services.

Unsupported Systems and Applications

Strategy for Unsupported Applications

Scanning Techniques in Vulnerability Management

Client-Based Scanning: Involves installing an agent that runs a scanning process on each host, reporting data back to a management server.
Agentless Scanning: Allows scans to occur without installation, typically used during threat actor reconnaissance.

Classification of Exploit Techniques

Exploits can be classified into:

Remote Vulnerabilities: Could be exploited by sending code to the target over a network without needing an authenticated session.
Local Vulnerabilities: Require exploit code to be run in an authenticated session on the machine.

Network Security Attributes

To minimize risks stemming from software vulnerabilities, administrators must work to eliminate unsecure networks, defined by the absence of key attributes:

Confidentiality: The requirement for protecting sensitive information from unauthorized access, with threats often manifesting as eavesdropping attacks.
Integrity: The assurance that data is protected against unauthorized modification and manipulation, with threats identified as on-path attacks.
Availability: Ensuring that services remain operational, with threats associated with Denial of Service (DoS) attacks.

Network Threat Vectors

Direct Access Attack Vectors

Physical Access: An attacker may physically access the site to perpetrate an attack.
Wired Networks: Unauthorized devices may be connected to physical network ports, risking exploitation.
Remote/Wireless Networks: Credential compromise or spoofing trusted resources allows threat actors entry.
Cloud Access: Weak credentials may be targeted on cloud services.
Bluetooth Networks: Vulnerability exploitation or misconfiguration can lead to unintended file transmission.
Default Credentials: Leaving devices configured with factory default passwords presents security risks.
Open Service Ports: Necessary ports for functionality expose potential vulnerabilities if not secured adequately.

Strategies to Reduce Attack Surface

Use secure design principles, access controls, firewalls, and intrusion detection systems to tighten measures against exploit attempts.

Lure-Based Vectors

Types of Lures

Executable Files: Conceal exploit code within program files, as seen with Trojan Horse malware.
Document Files: Embed malicious code in document formats like Word or PDF, often utilizing scripting features or exploiting software vulnerabilities.
Image Files: Hide exploit code in image files designed to exploit vulnerabilities in software used to view those files.
Removable Devices: Malware concealed in USB drives can infect systems when the media is connected.

The drop attack strategy involves leaving infected USB sticks in strategic areas with the hope a target unknowingly connects them to their devices.

Message-Based Vectors

When using a file-based lure, the threat actor needs a mechanism to deliver the file and a message that will trick a user into opening the file on their computer. Consequently, any features that allow direct messaging to network users must be considered as part of the potential attack surface:

Email: The attacker sends a malicious file attachment via email, or via any other communications system that allows attachments. The attacker needs to use social engineering techniques to persuade or trick the user into opening the attachment.
Short Message Service (SMS): The file or a link to the file is sent to a mobile device using the text messaging handler built into smartphone firmware and a protocol called Signaling System 77 (SS7SS7). SMSSMS and the SS7SS7 protocol are associated with numerous vulnerabilities. Additionally, an organization is unlikely to have any monitoring capability for SMSSMS as it is operated by the handset or subscriber identity module (SIMSIM) card provider.
Instant Messaging (IM): There are many replacements for SMS that run on Windows, Android, or iOSdevices. These can support voice and video messaging plus file attachments. Most of these services are secured using encryption and offer considerably more security than SMS, but they can still contain software vulnerabilities. The use of encryption can make it difficult for an organization to scan messages and attachments for threats.
Web and Social Media: Malware may be concealed in files attached to posts or presented as downloads. An attacker may compromise a site so that it automatically infects vulnerable browser software (a drive-by download). Social media may also be used more subtly, such as a disinformation campaign that persuades users to install a "must-have" app that is actually a Trojan.
Zero-Click Exploits: The most powerful exploits are Zero-click. Most file-based exploit code has to be deliberately opened by the user. Zero-click means that simply receiving an attachment or viewing an image on a webpage triggers the exploit.
Social Engineering via Messaging: Message-based vectors can also be exploited by a threat actor to persuade a user to reveal a password or weaken the security configuration using some type of pretext. This type of attack might be perpetrated simply by placing a voice call to the user.

Supply Chain Attack Surface

A supply chain is the end-to-end process of designing, manufacturing, and distributing goods and services to a customer. Rather than attack the target directly, a threat actor may seek ways to infiltrate it via companies in its supply chain. One high-profile example of this is the Target data breach, which was executed via credentials held by the company's building systems vendor.

Procurement Management

The process of ensuring reliable sources of equipment and software is called procurement management. It is helpful to distinguish several types of relationships:

Supplier: Obtains products directly from a manufacturer to sell in bulk to other businesses (B2B).
Vendor: Obtains products from suppliers to sell to retail businesses (B2B) or directly to customers (B2C). A vendor might add customization and direct support.
Business Partner: Implies a close relationship where companies share aligned goals. For example, Microsoft develops partner relationships with original equipment manufacturers (OEMs) and solutions partners to expand markets while providing certification and training to improve security awareness.

Complexity and Breadth

Each supplier and vendor has its own supply chain, extending even to delivery companies and couriers. This complexity exposes organizations to a massive attack surface. For a computer motherboard to be trustworthy, the entire chain must be secure:

Chip manufacturer
Firmware code developer
OEM reseller
Courier delivery company
Administrative staff responsible for provisioning

Modification of hardware or firmware at any step could create unmonitored backdoor access.

Establishing Trust

Establishing a trusted supply chain means denying malicious actors the resources to modify assets.

Most businesses rely on using reputable vendors as a practical security effort.
Government, military, and large enterprises exercise significantly greater scrutiny.
Particular care must be taken with secondhand machines.

Managed Service Providers (MSP)

An MSP provisions and supports IT resources like networks, security, or web infrastructure. While cost-effective, this type of outsourcing is complex because monitoring the MSP can be difficult, and its employees represent potential insider threats.

Business Email Compromise (BEC)

While phishing is typically associated with mass mailers, Business Email Compromise (BEC) refers to a sophisticated campaign targeting specific individuals, typically executives or senior managers.

Execution: The attacker puses as a colleague or vendor, performing deep reconnaissance to understand the target's role and psychological profile.
Lack of Obvious Indicators: BEC often avoids spoofed links or malware, relying instead on pretexts or compromised legitimate mail accounts.
Targeted Variations:
- Spear Phishing: Targeting specific individuals.
- Whaling: Targeting high-influence employees.
- CEO Fraud: Impersonating high-level executives to authorize fraudulent transfers.
- Angler Phishing: Using social media as the attack vector.

Brand Impersonation and Disinformation

Brand impersonation involves accurately duplicating a company's visual identity (logos, fonts, styles) to create visually compelling fake websites or messages.

Tactics: Attackers may use realistic content to boost search result rankings of phishing sites.
Distinction of Terms:
- Disinformation: A purposeful motivation to deceive and manipulate.
- Misinformation: Repetition of false claims or rumors without the explicit intention to deceive.

Watering Hole Attack

A watering hole attack relies on a group of targets that use an unsecure third-party website (e.g., an e-commerce staff using a local food delivery site).

Mechanism: The attacker compromises the third-party site to host exploit code. When the intended targets visit the site, their computers are infected, allowing the attacker to penetrate the main organization's network.